AUD507: Auditing & Monitoring Networks, Perimeters & Systems

This course not only prepares you to perform a comprehensive audit but also provides excellent information to operations for improve network security posture.

Rifat Ikram, State Dept. FCU

The entire course has been fantastic it far exceeded my expectations. I think SANS training is far superior to other training programs.

Paul Petrasko, Bemis Company

One of the most significant obstacles facing many auditors today is how exactly to go about auditing the security of an enterprise. What systems really matter? How should the firewall and routers be configured? What settings should be checked on the various systems under scrutiny? Is there a set of processes that can be put into place to allow an auditor to focus on the business processes rather than the security settings? How do we turn this into a continuous monitoring process? All of these questions and more will be answered by the material covered in this course.

This track is organized specifically to provide a risk driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high level audit issues and general audit best practice, the students will have the opportunity to dive deep into the technical "how to" for determining the key controls that can be used to provide a level of assurance to an organization. Tips on how to verify these controls in a repeatable way and many techniques for continuous monitoring and automatic compliance validation will be given from real world examples.

One of the struggles that IT auditors face today is assisting management to understand the relationship between the technical controls and the risks to the business that these affect. In this course these threats and vulnerabilities are explained based on validated information from real world situations. The instructor will take the time to explain how this can be used to raise the awareness of management and others within the organization to build an understanding of why these controls specifically and auditing in general is important. From these threats and vulnerabilities, we will explain how to build the ongoing compliance monitoring systems and how to automatically validate defenses through instrumentation and automation of audit checklists.

You'll be able to use what you learn the day you get home. Five of the six days in the track will either produce or provide you directly with continuous monitoring scripts and a general checklist that can be customized for your audit practice. Each of these days includes hands-on exercises with a variety of tools discussed during the lecture sections so that you will leave knowing how to verify each and every control described in the class and know what to expect as audit evidence. Each of the five hands on days gives you the chance to perform a thorough technical audit of the technology being considered by applying the checklists provided in class to sample audit problems in a virtualized environment.

A great audit is more than marks on a checklist; it is the understanding of the what the underlying controls are, what the best practices are and why. Sign up for this course and experience the mix of theory, hands-on, and practical knowledge.

Course Syllabus

AUD507.1: Effective Auditing, Risk Assessment, Reporting

Overview

After laying the foundation for the role and function of an auditor in the information security field, this day's material will give you two extremely useful risk assessment methods that are particularly effective for measuring the security of enterprise systems, identifying control gaps and risks, and assisting you to recommend additional compensating controls to address the risk. Nearly a third of the day is spent covering important audit considerations and questions when dealing with virtualization and with Cloud Computing.

In today's information security world, most enterprises are either already moving toward or seriously considering moving toward compliance with any number of a variety of security standards that represent best practice. Is your organization doing this today? Are you running up against any road blocks? Despite implementing controls, are you still dealing with significant compliance problems? The risk assessment discussions covered in this material is for you. One of the key topics covered in this material is an effective risk based method for the specification or selection of controls. Following this discussion, you will be able to analyze an existing set of controls, a business process, an audit exception or a security incident, identifying any missing or ineffective controls. More importantly, perhaps, you will be able to easily identify what corrective actions will eliminate the problem in the future. Included in this material is a tried and true method for conducting audits and presenting findings that will assist the organization to move toward compliance effectively.

The last two sections of the day are spent digging into virtualization solutions. After first examining some of the huge issues and the biggest questions facing us when it comes to Cloud Computing, we dig into significant audit considerations when dealing with the market leader in private cloud implementations and enterprise virtualization solutions: VMWare.

CPE/CMU Credits: 6

Topics

Auditor's Role in Relation to

Policy Creation

Policy Conformance

Incident Handling

Basic Auditing and Assessing Strategies

Baselines

Time Based Security

Thinking like an Auditor

Developing Auditing Checklists from Policies and Procedures

Effective risk assessment

Risk Assessment

Standards Adoption

Identifying Existing Controls

Determining Root Failure Causes

Using Risk Assessment to Specify New Controls

The Six-Step Audit Process

How the Steps Interrelate

How to Effectively Conduct an Audit

How to Effectively Report the Findings

Virtualization & Cloud Computing

Definitions

Challenges

Important contractual requirements

Technical testing of deployments

VMWare vSphere/ESXi auditing hands-on

AUD507.2: Effective Network & Perimeter Auditing / Monitoring

Overview

Enterprise networks are under constant assault. A key foundation in the security of our enterprise is created by ensuring that we have a validated secure perimeter. As easy as this is to say, organizations struggle with this constantly. Forces such as wireless technologies, enterprise VPNs, business partner connections, BYOD policies and more can all erode the security of our perimeter networks.

In this day we will build from the ground up, dealing with security controls, proper deployment, effective auditing continuous monitoring of configuration from Layer 2 all the way up the stack. Students will learn how to identify insecurely configured VLANs, how to determine perimeter firewall requirements, how to examine enterprise routers and much more.

Many auditors confess that networking is one of their weakest topics. Therefore, each technology is fully explained using simple, every day illustrations. Each topic is then placed into a risk driven framework for securing a network long term and discussed in the context of a real security organization. What role does the security officer play? How do we reconcile security concerns with operational requirements? What questions should a security auditor be asking? What should the answers to those questions be? How does continuous monitoring fit in and how do you architect those processes?

Many students describe this as the most difficult day of the entire course but the day that fills in all of the gaps that they have in networking technology, whether fundamentals, routers, switches, wireless or firewalls.

CPE/CMU Credits: 6

Topics

Secure Layer 2 Configurations

VLANs

Spanning Tree

Network Trunking

Switching Fiber Security

Router & Switch Configuration Security

Remote Administration

Logging Concerns and Practice

ACL Configuration & Validation

User Management

Evolving Technologies

Firewall Auditing, Validation & Monitoring

Information Flow Diagramming

Converting Requirements to ACLs

Understanding Firewall Design

Network Architecture Validation

Rules Review& Analysis

Technical Validation of the Firewall Rules

Next Generation Firewalls

Wireless

Secure Deployments Today

Identification of Wireless Security Issues

Network Population Monitoring

Robust Process for Node Identification

Network Population Change Management & Monitoring

Automated Notification Processes

Vulnerability Scanning

Effective Scanning

Effective, Business Aligned, Reporting

AUD507.3: Web Application Auditing

Overview

Web Applications have consistently rated one of the top five vulnerabilities that enterprises face for the past several years. Unlike the other top vulnerabilities, however, our businesses continue to accept this risk since most modern corporations need an effective web presence to do business today. One of the most important lessons that we are learning as an industry is that installing an application firewall is not enough!

A portion of the morning will cover all of the underlying principles of web technology and introduce a set of tools that can be used to validate the security of these applications. Throughout the day, all of the OWASP Top Ten issues will be addressed, abstracted into five practical principles of web application design and deployment. The majority of the day will be spent building and working through a checklist for validating the existence and proper implementation of controls to mitigate the primary threats found in web applications through the use of cutting edge techniques and advanced testing methods. Throughout the material time is spent identifying key development requirements, allowing you to provide meaningful feedback into your organization's coding standards.

Several discrete web applications will be examined using these tools and the audit program developed. By the end of the day each student will use the provided high level checklist and detailed instructions throughout the day to perform a comprehensive validation of security controls in at least one full web application.

In addition to designing an audit testing program, time will be spent discussing process remediation for project managers and coding teams.

CPE/CMU Credits: 6

Topics

Identify controls against information gathering attacks

Process controls to prevent hidden information disclosures

Control validation of the user sign-on process

Examining controls against user name harvesting

Validating protections against password harvesting

Best practices for OS and web server configuration

How to verify session tracking and management controls

Identification of controls to handle unexpected user input

Server-side Techniques for Protecting Your Customers and Their Sensitive Data

AUD507.4: Advanced Windows Auditing & Monitoring

Overview

Microsoft's business class system make up a large part of the typical IT infrastructure. Quite often, these systems are also the most difficult to effectively secure and control because of the enormous number of controls and settings within the operating system. This class gives you the keys, techniques and tools to build an effective long term audit program for your Microsoft Windows environment. More importantly, during the course a continuous monitoring and reporting system is built out, allowing you to easily and effectively scale the testing discussed within your enterprise when you return home.

During the course of this day, attendees will have the opportunity to perform a thorough hands on audit of Active Directory servers in class, in addition to the laptop that they bring to class. In addition to covering all of the major audit points in a stand alone Windows system, the course will scale these methods for use within a domain. One of the primary goals of the material presented is to allow the auditor to get away from checking registry settings, helping administrators to create a comprehensive management process that automatically verifies settings. With this type of system in place, the auditor can step back and begin auditing the management processes which generally helps us to be far more effective.

Finally, the course will spend a significant amount of time discussing the more important aspects of Active Directory from an auditor's perspective. We will cover and give you the opportunity to try your hand at querying useful data out of the Active Directory. Throughout the day we will work to build a comprehensive baseline auditing script to automatically audit all of the systems within a domain.

CPE/CMU Credits: 6

Topics

Progressive construction of a comprehensive audit program

Basic system information

Patch levels

Network based services

Local services

Installed software

Security configuration

Identifying & mitigating system specific vulnerabilities

Group policy management

Log aggregation, management and analysis

Automating the audit process

Windows security tips and tricks

Maintaining a secure enterprise

AUD507.5: Advanced UNIX Auditing & Monitoring

Overview

Students will gain a deeper understanding of the inner workings and fundamentals of the Unix operating system as applied to the major Unix environments in use in business today. Students will have the opportunity to explore, assess and audit Unix systems hands-on. Lectures describe the different audit controls that are available on standard Unix systems, as well as, access controls and security models.

The majority of the day will be spent working hands on with the instructor to create a comprehensive set of auditing scripts that can be used on virtually any Unix system. This set of scripts can be used to either check the security of a system, report on the compliance of the system to a baseline or be used in a change control process to validate a system before patching and subsequently re-generate the system baseline.

Neither Unix nor scripting experience is required for this day's course. The course book and hands on exercises present an easy to follow method with the assistance of the instructor that will allow you to cover scripting and more advanced topics like regular expressions.

CPE/CMU Credits: 6

Topics

Auditing to Create a Secure Configuration

Building Your Own Auditing Toolkit

File Integrity Assessment

Fine Points of 'find'

Regex Basics

Auditing to Maintain a Secure Configuration

Reading Logfiles

Password Assessment Tools

Risk Assessment

What Tools to Use

How to Go About It

Building a Baseline

Building an Audit Script

Auditing with Accreditation Systems

Auditing to Determine What Went Wrong

Finding Hidden Disk Space

Event Reconstruction

Identifying Back Doors

Anatomy of a Rootkit

Creating a Unix Tools CD

AUD507.6: Audit the Flag: A NetWars Experience

Overview

This final day of the course presents a capstone experience with additional learning opportunities. Leveraging the well known NetWars engine, students have the opportunity to connect to a simulated enterprise network environment. Building on the tools and techniques learned throughout the week, each student is challenged to answer a series of questions about the enterprise network, working through various technologies explored during the course.

This allows students to immediately put the knowledge gained into practice with these guided challenges. At the conclusion of the day, students are asked to identify the most serious findings within the enterprise environment and to suggest possible root causes and potential mitigations.

CPE/CMU Credits: 6

Topics

Technologies included in the capstone challenges include:

Network Devices

Firewalls

Cisco Switches & Routers

Servers

Active Directory domain controllers

DNS servers

Mail servers

Web servers

Applications

Intranet web applications

Internet web applications

Workstations

Additional Information

Laptop Required

Audit 507 requires that you bring a fairly modern laptop running 64 bit Windows 7 Business, 64 bit Windows 8 Business or 64 bit Windows 10 operating system. Your computer should additionally have a minimum of 2 gigabytes of RAM, though 4 gigabytes or more is preferred. A computer not meeting the RAM and operating system requirements will not be able to run all of the hands-on exercises. Your computer will also need the ability to mount a USB stick and a wireless adapter for you to participate in the exercises in class.

Your laptop must be capable of running the most current version of VMware Player (http://www.vmware.com/products/player/). It is strongly advised that you attempt to download and install VMware Player before coming to class to verify that your laptop can indeed run it successfully. Additionally, the Virtualization Extensions (VT-x) must be enabled in the BIOS of the computer. This is one of the items that is overlooked when your helpdesk sets up a loaner laptop to bring to the class.

It is absolutely necessary that you have full administrative rights on your computer for this class. We would strongly recommend that you work with your help desk to have a clean laptop built for the purpose of attending this class. Full administrative rights means that you will need the ability to install software, change system settings, manipulate the registry, possibly disable antivirus, etc. The user account that you are using on your laptop should be in the Local Administrators group. Of course, you can meet this requirement by bringing a laptop with VMware Player already installed and a Windows XP or higher virtual machine installed inside of a virtual machine to which you have full and complete access.

Utilize scripting to build a system to baseline and automatically audit Active Directory and all systems in a Windows domain

Author Statement

The SANS Advanced Systems Audit track stands alone in the Information Assurance arena as the only comprehensive source for hands on audit "How To." Past students have included long time auditors and those new to the field, both of whom have found significant benefit from the refresher material. One individual, a vice president with the IIA (Institute of Internal Auditors) said, "I've been auditing systems for a very long time and no one ever actually gave me a formal process that I can apply to conducting technical audits. Thank you!" While we don't require a high level of technical experience as a prerequisite to this course, we have worked hard to make sure that anyone who comes to the course walks away with a wealth of material that they can go back to their office and apply tomorrow. We realistically address the "How do I get there from here?" problem by offering short-term goal solutions which, when combined, will allow you to achieve your goal: identify, report on and reduce risk in your enterprise. - DAVID HOELZER